In the first major cyberattack report of the year, Nissan North America reported a serious data breach on January 16, 2023. According to the report, the breach exposed details of 17998 people in Nissan’s database, including 785 Maine residents. The data breach struck on 21 June 2021 and was discovered almost three months later on 26 September 2022. The company blamed a third-party service provider for inadvertent disclosure and insider wrongdoing.
As per Nissan’s investigation, the breach impacted the data management of customer information, resulting in the likely acquisition of this data by unauthorized groups. The breach was carried out by embedding malware in the code during routine software testing. This malware code was temporarily stored in a public cloud, causing a second incident that led to access to an unsecured cloud repository.
We spoke to Maor Bin, CEO of Adaptive Shield, about the lessons that business owners should take from Nissan’s data breach incident.
Maor said, “There are two main takeaways we can learn from the recent breach at Nissan. The first, that organizations granting external vendor access are increasing their vulnerability and risk of an attack. Security teams must constantly monitor and evaluate who has access and why. And secondly, the use of real customer data for development and testing purposes should be discouraged. Instead, organizations should strive to use synthetic data that mimics real data. We see problems arise because often, test environments are not prioritized for security and maintenance of good configuration hygiene compared with production environments. This is an Achilles’ heel for security teams. Using real data in testing environments, combined with low security and minimum safeguards, leads to data leakage.”
The exposed data included personal information such as customers’ full names, dates of birth, and Nissan finance account numbers. Upon learning of the security incident, Nissan ensured the exposed database had been secured and launched an internal investigation. Upon completion, the company verified that an unauthorized person had likely accessed the personal data. There is no evidence that any of this sensitive information has been misused. However, Nissan is sending out notices out of an abundance of caution. In addition, the brand is offering all recipients of breach notices a one-year membership in identity protection services.
This is not the first time that Nissan North America has faced a data breach: a breach in 2021 led to the leak of 20 GB of data, exposing market research, client acquisition data, and diagnostics.
Gal Helemski, co-founder & CTO/CPO, PlainID said, “In attacks such as this, identity is the solution for finding the adversary and eliminating it from systems. Organizations must adopt a “Zero Trust” approach, which means trusting no one – not even known users or devices – until they have been verified and validated. Access policies and dynamic authorizations are a crucial part of the zero-trust architecture, as they help to verify who is requesting access, the context of the request, and the risk of the access environment.
Instead of pouring more money into a shotgun approach to security, organizations need a more focused strategy oriented toward purchasing the highest reward tools. Identity and authorization are where the smart money should be going. If we assume hackers are already in the network, it makes sense to focus budgets on technologies that restrict movement inside the network.”
Amit Shaked, CEO and co-founder, Laminar said, “The increasing adoption of cloud data storage technologies, the proliferation of unknown or ‘shadow’ data that is not kept up to date by IT and security teams, the death of the traditional security perimeter and a faster rate of change for developers have all created a perfect storm known as the ‘innovation attack surface.’ It refers to the continuous unintentional risk cloud data users, such as Nissan and most other modern businesses today, take when using data to drive innovation. The innovation attack surface results from the massive, decentralized, accidental risk created by some of the smartest people in business — such as what happened in this incident. Customer data embedded within the code during Nissan’s software testing was unintentionally and temporarily stored in a cloud-based public repository — a mistake any one of us could make.
So how can organizations protect themselves from this innovation attack surface and prevent adversaries from getting their hands on sensitive company data? The key is to use agile cloud data security solutions that keep a real-time inventory of all cloud data, including shadow data, and prevent public exposure by automatically pinpointing when sensitive data is exposed. Having the dual approach of visibility and protection can prevent damages when mistakes happen.”
Jeremy Ventura, Director, Security Strategy & Field CISO, ThreatX said, “Third-party supply chain breaches are more prominent now than ever. Organizations, no matter the industry, rely heavily on their third parties to provide services to their core business operations. Companies may rely on hundreds if not thousands of partners from logistics, transportation, cloud, web hosting, etc.
It’s important to understand that supply chain cyber security threats are not just an IT problem but rather a core business problem. When an incident happens, it can have tremendous effects on all areas of the business. Attacking an organization’s supply chain is very attractive for cyber criminals looking to get a foot in the door. Meanwhile, companies are struggling to get visibility into their vendors and what data they have access to, enabling a risk management program and understanding risk acceptance vs risk avoidance.
While the good news is that no evidence has been found that information lost in the Nissan breach has been misused, it’s critical for organizations to properly evaluate all their third parties. I believe relying on pentests and certifications such as a SOC 2 is a good starting point, but it is not the end all be all.”
It took Nissan North America more than 3 months to report the incident after a full-blown investigation. Cybersecurity leaders and CIOs should take a lesson from this incident about the vulnerabilities in their public cloud and IT networking assets. Companies should be able to report such incidents in real time and safeguard customer data in a more agile manner. Use of threat management and cloud protection analytics solutions could salvage the situation.